GitLab Duo Security - AI-Powered Security Analysis

Overview

GitLab Duo enhances security throughout the software development lifecycle with AI-powered vulnerability detection, analysis, and remediation. Security features help teams identify and fix vulnerabilities faster while reducing false positives.

Key Security Features

1. SAST False Positive Detection

Available: GitLab 18.7+
Requires: GitLab Ultimate

AI-powered analysis to identify false positives in Static Application Security Testing (SAST) results.

How It Works

When a SAST scan completes:

  1. GitLab Duo analyzes Critical and High severity findings
  2. Examines code context and vulnerability characteristics
  3. Determines likelihood of false positive
  4. Provides detailed explanation
  5. Assigns confidence score

Example Analysis

SAST Finding: Command Injection (Critical)
File: admin_tools.py, Line 42
Pattern: subprocess.call with user input

AI Assessment: False Positive (90% confidence)

Explanation:
The flagged code uses subprocess.call, but the command is
constructed from a whitelist of predefined operations. User
input is only used to select from this whitelist, not to
construct arbitrary commands.

Code Context:
ALLOWED_OPERATIONS = ['backup', 'restore', 'status']
operation = user_input
if operation not in ALLOWED_OPERATIONS:
    raise ValueError("Invalid operation")
subprocess.call(['/usr/bin/admin_tool', operation])

Recommendation: Mark as false positive
Reason: Input validation prevents command injection

Benefits

  • Reduced Noise: Focus on real vulnerabilities
  • Faster Triage: Less time investigating false positives
  • Better Prioritization: Address critical issues first
  • Team Efficiency: Developers trust security findings

Configuration

# .gitlab-ci.yml
include:
  - template: Security/SAST.gitlab-ci.yml

variables:
  SAST_AI_ANALYSIS: "true"             # Enable AI analysis
  SAST_AI_CONFIDENCE_THRESHOLD: "70"   # Confidence threshold

2. Vulnerability Explanations

Available: GitLab Ultimate

AI-generated explanations for security vulnerabilities.

Features

Detailed Analysis:

  • What the vulnerability is
  • Why it's dangerous
  • How it can be exploited
  • Real-world attack scenarios
  • Severity justification

Example Explanation:

CVE-2024-1234: SQL Injection in User Authentication

What:
This vulnerability allows attackers to inject SQL commands
through the login form's username field.

Why It's Dangerous:
Successful exploitation can lead to:
- Unauthorized access to user accounts
- Data breach (user credentials, personal info)
- Database manipulation or deletion
- Potential system compromise

How It's Exploited:
1. Attacker enters: admin' OR '1'='1
2. SQL query becomes:
   SELECT * FROM users WHERE username='admin' OR '1'='1' AND password=...
3. The OR '1'='1' condition is always true
4. Attacker bypasses authentication

Attack Complexity: Low
Exploit Availability: Public exploits exist
Affected Versions: 2.0.0 - 2.5.3

Severity: Critical (CVSS 9.8)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
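
The query in the explanation above, reproduced against an in-memory SQLite table next to its parameterized form. This is an added example, not GitLab Duo output or GitLab code; the table layout and function names are assumptions made for the illustration.

```python
import sqlite3

# The username value quoted in the explanation above.
PAGE_INPUT = "admin' OR '1'='1"

def make_db():
    """Constructed single-user table standing in for the application's users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'hash-of-real-password')")
    return db

def login_concatenated(db, username, password_hash):
    # Flagged pattern: the input becomes part of the SQL text, so a quote in
    # the username ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT username FROM users WHERE username='" + username +
           "' AND password_hash='" + password_hash + "'")
    return db.execute(sql).fetchone()

def login_parameterized(db, username, password_hash):
    # Fix: placeholders keep the input as data; the statement text is fixed.
    sql = "SELECT username FROM users WHERE username=? AND password_hash=?"
    return db.execute(sql, (username, password_hash)).fetchone()

def compare(username=PAGE_INPUT, password_hash="wrong"):
    """Run both forms with the same input and return (concatenated, parameterized)."""
    db = make_db()
    return (login_concatenated(db, username, password_hash),
            login_parameterized(db, username, password_hash))

if __name__ == "__main__":
    print(compare())
```

AND binds tighter than OR, so the concatenated query evaluates as username='admin' OR ('1'='1' AND password_hash='wrong'); the first term alone matches the admin row, while the parameterized form returns no row.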

Usage

In Security Dashboard:

  1. View vulnerability
  2. Click "Explain with AI"
  3. Review generated explanation
  4. Share with team

Via API:

curl --header "PRIVATE-TOKEN: <token>" \
  "https://gitlab.com/api/v4/projects/:id/vulnerabilities/:vuln_id/explain"

3. Vulnerability Remediation Suggestions

AI-powered fix suggestions for identified vulnerabilities.

Fix Types

Dependency Updates:

Vulnerability: Prototype Pollution in lodash
Package: lodash@4.17.15
Severity: High

AI Suggested Fix:
Update package.json:
{
  "dependencies": {
-   "lodash": "4.17.15"
+   "lodash": "4.17.21"
  }
}

Command:
npm install lodash@4.17.21

Breaking Changes: None
Migration Required: No
Test Coverage: Verify array manipulation functions

Verification Steps:
1. Update package.json
2. Run npm install
3. Run test suite
4. Deploy to staging
5. Monitor for issues

Code Changes:

Vulnerability: XSS in User Profile
File: profile.html, Line 23
Severity: High

Current Code:
<div>{user.bio}</div>

AI Suggested Fix:
<div>{sanitizeHtml(user.bio)}</div>

Required Changes:
1. Install DOMPurify: npm install dompurify
2. Import sanitizer:
   import DOMPurify from 'dompurify';
3. Sanitize user input:
   const sanitizeHtml = (dirty) => DOMPurify.sanitize(dirty);
4. Apply to all user-generated content

Additional Locations:
- user_comments.html, Line 45
- forum_posts.html, Line 78

Configuration Updates:

Vulnerability: Insecure Cookie Settings
Finding: HttpOnly flag not set
Severity: Medium

AI Suggested Fix:
Update server configuration:

# Express.js
app.use(session({
  secret: process.env.SESSION_SECRET,
  cookie: {
+   httpOnly: true,
+   secure: true,
+   sameSite: 'strict'
  }
}));

Security Benefits:
- httpOnly: Prevents JavaScript access to cookies
- secure: HTTPS-only transmission
- sameSite: CSRF protection

Testing:
1. Check cookies in browser DevTools
2. Verify flags are set
3. Test with HTTPS

4. Secret Detection

AI-enhanced secret detection prevents credential leaks.

Detection Capabilities

Types of Secrets:

  • API keys
  • Database passwords
  • Private keys
  • OAuth tokens
  • AWS credentials
  • JWT secrets
  • Encryption keys

Detection Methods:

  • Pattern matching
  • Entropy analysis
  • Context awareness
  • Historical patterns

Example Detection

Secret Detected: GitLab Personal Access Token
File: deploy.sh
Line: 15

Code:
GITLAB_TOKEN="glpat-xxxxxxxxxxxxxxxxxxxx"
curl --header "PRIVATE-TOKEN: $GITLAB_TOKEN" ...

AI Analysis:
- Pattern: GitLab PAT format (glpat-)
- Entropy: High (likely real token)
- Context: Used in API call (confirmed)
- Risk: Critical (full API access)

Recommended Actions:
1. Revoke token immediately
2. Use CI/CD variables instead
3. Enable secret rotation
4. Audit access logs for misuse

Secure Alternative:
# Use GitLab CI/CD variable
curl --header "PRIVATE-TOKEN: $CI_JOB_TOKEN" ...
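
The pattern-matching and entropy steps listed under Detection Methods, as an added example that is not GitLab's scanner code. The token length in the regex, the entropy cut-off and all names are assumptions for this sketch, and the sample lines are constructed.

```python
import math
import re
from collections import Counter

# Assumption: "glpat-" followed by at least 20 token characters.
PAT_RE = re.compile(r"\bglpat-([0-9A-Za-z_\-]{20,})")
ENTROPY_THRESHOLD = 3.0  # bits per character; hypothetical cut-off

def shannon_entropy(s):
    """Shannon entropy of s in bits per character."""
    n = len(s)
    return sum(c / n * math.log2(n / c) for c in Counter(s).values())

def scan(lines):
    """Return one finding per glpat- match, with the token body redacted."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in PAT_RE.finditer(line):
            body = m.group(1)
            h = shannon_entropy(body)
            findings.append({
                "line": lineno,
                "entropy": round(h, 2),
                # A repeated filler character scores near zero; random
                # token material scores well above the cut-off.
                "verdict": "likely real" if h >= ENTROPY_THRESHOLD else "placeholder",
                # Never echo the full value into scanner output or logs.
                "redacted": "glpat-" + body[:2] + "*" * (len(body) - 2),
            })
    return findings

# Constructed sample: line 2 is the masked token as printed on this page,
# line 3 is a made-up value with varied characters (not a real token).
SAMPLE = [
    "#!/bin/sh",
    'GITLAB_TOKEN="glpat-' + "x" * 20 + '"',
    'BACKUP_TOKEN="glpat-A1b2C3d4E5f6G7h8J9k0"',
    'curl --header "PRIVATE-TOKEN: $GITLAB_TOKEN" "$URL"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Both assignments match the pattern, but only the second passes the entropy check, which is how a scanner separates documentation placeholders from values worth revoking.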

Secret Validity Checks

GitLab 18.7+

Validates whether detected secrets are still active.

Secret Found: AWS Access Key
Status: ACTIVE (Validated)
Last Used: 2 days ago
Permissions: Full S3 access

Urgency: CRITICAL - Revoke immediately

Revocation Steps:
1. Navigate to AWS IAM Console
2. Find user: ci-deploy-user
3. Deactivate access key: AKIA...
4. Generate new key
5. Update CI/CD variable
6. Verify deployments work

5. Dependency Scanning with AI

Enhanced dependency vulnerability scanning.

Features

Vulnerability Context:

Package: axios@0.21.1
Vulnerability: Server-Side Request Forgery (SSRF)
CVE: CVE-2021-3749
Severity: Medium

AI Context Analysis:
Your Usage: Only used for internal API calls
Attack Vector: Requires attacker-controlled URL
Exploitability in Your Context: Low

Reason:
Your code only calls whitelisted internal endpoints:
- api/users
- api/orders
- api/products

No user-supplied URLs are passed to axios.

Recommendation: Low priority - Update during next
maintenance window.

If you add external API calls in the future,
prioritize this update immediately.

Transitive Dependency Analysis:

Direct Dependency: express@4.17.1
Vulnerable Package: qs@6.5.2 (transitive)
Vulnerability: Prototype Pollution

Dependency Chain:
express@4.17.1
   body-parser@1.19.0
       qs@6.5.2 (vulnerable)

AI Suggested Fix:
Update express to version 4.18.2, which includes:
- body-parser@1.20.1
   qs@6.11.0 (patched)

One update fixes entire chain.

6. Container Scanning

AI-enhanced container image vulnerability scanning.

Analysis Features

Image: node:14-alpine
Vulnerabilities: 47 (12 Critical, 15 High, 20 Medium)

AI Priority Analysis:

Critical Issues:
1. CVE-2023-1234 (OpenSSL)
   - Actively exploited in the wild
   - RCE vulnerability
   - Fix: Update to node:14.21-alpine
   Priority: IMMEDIATE

2. CVE-2023-5678 (libcurl)
   - High CVSS score (9.8)
   - But: Your app doesn't use curl
   Priority: MEDIUM (update, but not urgent)

Recommended Actions:
1. Update base image: node:14.21-alpine
2. This fixes 35 of 47 vulnerabilities
3. Remaining 12 are low severity
4. Schedule for next sprint

Alternative:
Consider node:20-alpine for longer support

7. License Compliance

AI-assisted license compliance checking.

Features

License Analysis:

Package: react@18.2.0
License: MIT
Compliance: APPROVED

Package: gpl-library@1.0.0
License: GPL-3.0
Compliance: VIOLATION

AI Explanation:
GPL-3.0 requires your entire project to be open-source
if you distribute your application. This conflicts with
your commercial license.

Options:
1. Remove gpl-library
2. Find MIT/Apache alternative
3. Contact legal team for exception
4. Make project open-source (unlikely)

Alternatives Found:
- apache-library (Apache-2.0) - Similar functionality
- bsd-library (BSD-3-Clause) - Compatible license

Security in Merge Requests

AI Code Review for Security

Beta: GitLab 17.10+

Automated security-focused code reviews.

Review Checks

Security Patterns:

MR #123: Add user data export feature

AI Security Review:

 Potential Issues Found:

1. Missing Authorization Check (High)
   File: exports_controller.py, Line 23

   Code:
   def export_data(user_id):
       return User.query.get(user_id).to_json()

   Issue: No verification that requester owns the data
   Fix: Add authorization check

   Suggested Code:
   def export_data(user_id):
       if current_user.id != user_id and not current_user.is_admin:
           raise Unauthorized()
       return User.query.get(user_id).to_json()

2. Potential Path Traversal (Medium)
   File: exports_controller.py, Line 45

   Code:
   filename = request.args.get('filename')
   with open(f'/exports/{filename}', 'r') as f:

   Issue: Unsanitized filename from user input
   Fix: Validate and sanitize filename

   Suggested Code:
   import os
   filename = os.path.basename(request.args.get('filename'))
   safe_path = os.path.join('/exports', filename)
   if not safe_path.startswith('/exports/'):
       raise ValueError("Invalid path")
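
A containment check for the path traversal finding that resolves the path before comparing it, as an added example that is not GitLab Duo output. It also rejects cases the basename plus startswith check lets through or crashes on (a symlink inside the export directory, an empty name, a missing parameter); the directory layout and function names are assumptions.

```python
import os
import tempfile

def resolve_export(base_dir, filename):
    """Return the real path of filename inside base_dir, or raise ValueError."""
    if not filename or "\x00" in filename:
        raise ValueError("missing or malformed filename")
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks, so the comparison below
    # is made on the location that open() would actually reach.
    candidate = os.path.realpath(os.path.join(base, filename))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes export directory")
    if not os.path.isfile(candidate):
        raise ValueError("not a regular file")
    return candidate

def demo():
    """Run constructed inputs against a temporary export directory."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        exports = os.path.join(root, "exports")
        os.mkdir(exports)
        with open(os.path.join(exports, "report.csv"), "w") as f:
            f.write("id,name\n")
        outside = os.path.join(root, "secret.txt")
        with open(outside, "w") as f:
            f.write("outside the export directory\n")
        # A symlink that sits inside exports but points outside it.
        os.symlink(outside, os.path.join(exports, "link.csv"))
        for name in ["report.csv", "../secret.txt", "/etc/passwd",
                     "", "link.csv", None]:
            try:
                resolve_export(exports, name)
                results[name] = "allowed"
            except ValueError:
                results[name] = "rejected"
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(repr(name), verdict)
```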

Suggested Reviewers for Security

When an MR contains security-sensitive changes:

MR #456: Update authentication logic

Suggested Reviewers:
1. @security-team (Required)
   Reason: Changes to authentication

2. @john-security-expert
   Reason: Previously reviewed auth changes
   Expertise: OAuth, JWT, session management

3. @jane-crypto-expert
   Reason: Changes involve crypto operations
   Expertise: Encryption, key management

Security Dashboard Enhancements

AI-Powered Insights

Vulnerability Trends:

Security Trend Analysis (Last 90 days)

Key Findings:
1. Dependency vulnerabilities increased 23%
    Reason: Outdated renovate configuration
    Action: Update renovate settings

2. SAST findings decreased 15%
    Reason: Code quality improvements
    Action: Continue current practices

3. Container vulnerabilities stable
    Action: Maintain current update cadence

Predictions:
- Next month: Likely 3 critical npm vulnerabilities
- Recommendation: Plan dependency update sprint

Risk Scoring

Project Risk Score: 72/100 (Medium-High)

Risk Factors:
1. 3 Critical vulnerabilities unresolved (14 days avg)
   Impact: -15 points

2. Mean time to remediation: 12 days (target: 7 days)
   Impact: -8 points

3. Security scan coverage: 85% (target: 95%)
   Impact: -5 points

Improvement Plan:
1. Resolve critical vulns (Est. +15 points)
2. Faster triage process (Est. +8 points)
3. Add DAST scanning (Est. +10 points)

Target Score: 95/100 (Low Risk)

Compliance and Auditing

AI-Assisted Compliance

SOC 2 Compliance:

SOC 2 Security Readiness: 78%

Missing Controls:
1. Automated vulnerability remediation (CC6.1)
   Current: Manual process
   Required: Automated tracking
   Solution: Enable GitLab Duo auto-remediation

2. Security training records (CC1.2)
   Current: Not tracked
   Required: Annual training logs
   Solution: Use GitLab audit events

3. Incident response testing (CC7.4)
   Current: No regular testing
   Required: Quarterly drills
   Solution: Schedule in GitLab calendar

Audit Event Analysis

Unusual Security Activity Detected

Event: Multiple failed secret scans
User: deploy-bot
Count: 15 in last hour
Pattern: Abnormal (usual: 1-2 per day)

AI Analysis:
Likely cause: CI/CD configuration change
Risk level: Low (automated process)
Action: Review recent pipeline changes

Event Details:
- All failures in deploy.sh
- Same secret pattern each time
- Recent commit: abc123 (updated deploy script)

Recommendation:
Check commit abc123 for hardcoded secrets

Security Best Practices

1. Enable All Security Scanners

# .gitlab-ci.yml
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml

variables:
  SAST_AI_ANALYSIS: "true"
  SECRET_DETECTION_HISTORIC_SCAN: "true"

2. Set Up Approval Rules

# Require security review for changes to:
- auth/**/*
- security/**/*
- api/*/auth.py
- config/security.yml

approvals:
  required: 2
  required_groups:
    - security-team

3. Automate Remediation

security:auto-fix:
  script:
    - gitlab-duo-security scan
    - gitlab-duo-security auto-remediate --safe
  only:
    - schedules
  when: always

4. Monitor Security Metrics

Track key metrics:

  • Time to remediation
  • Vulnerability by severity
  • False positive rate
  • Security coverage
  • Compliance score

5. Use Security Policies

# .gitlab/security-policies/scan-execution-policy.yml
name: Mandatory security scans
description: Run all security scans on every MR
enabled: true
rules:
  - type: pipeline
    branches:
      - main
      - release/*
scanners:
  - sast
  - dependency_scanning
  - container_scanning
  - secret_detection
actions:
  - scan: required
    severity_threshold: high

Troubleshooting

False Positive Detection Not Working

Check:

  1. Feature enabled (Ultimate tier)
  2. SAST scan completed successfully
  3. AI analysis variables set
  4. Sufficient code context available

Remediation Suggestions Inaccurate

Improve:

  1. Provide more code context
  2. Add comments explaining security controls
  3. Use standard security patterns
  4. Update to latest GitLab version

Secret Detection Missing Secrets

Enhance:

  1. Enable custom patterns
  2. Increase entropy threshold
  3. Check file exclusions
  4. Review historical scan settings

Security Incident Response

AI-Assisted Incident Investigation

When a security incident occurs:

Incident: Unauthorized access detected
Time: 2025-01-08 14:23 UTC
User: compromised-account

AI Investigation:

Timeline:
14:15 - Login from unusual location (IP: 1.2.3.4)
14:18 - Accessed sensitive repositories
14:20 - Downloaded source code archives
14:23 - Security team notified

Analysis:
- Account credentials likely compromised
- No MFA enabled on account
- Access from known VPN service
- Downloaded 3 private repositories

Recommended Actions:
1. Immediately revoke all tokens
2. Force password reset
3. Enable MFA requirement
4. Audit downloaded content
5. Review commit history for malicious changes
6. Check for new deploy keys
7. Scan for secrets in downloaded repos

Similar Incidents:
- 2024-12-15: Similar pattern, same VPN provider
- Recommendation: Block VPN provider IPs
